A security issue fixed upstream in ruby-rest-client has been announced:
http://openwall.com/lists/oss-security/2015/03/24/3

The issue is fixed upstream in 1.8.0.

Mageia 4 and Mageia 5 are affected.

Nothing requires or BuildRequires this package, so we could drop it in Cauldron...
Whiteboard: (none) => MGA5TOO, MGA4TOO
There is also an issue with logging passwords in plaintext:
http://lists.opensuse.org/opensuse-updates/2015-04/msg00026.html

from http://lwn.net/Vulnerabilities/640614/
Dropped from Cauldron for now.
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
Version 1.8.0 just pushed in 4 core/updates_testing.
CC: (none) => mageia
(In reply to David Walser from comment #1)
> There is also an issue with logging passwords in plaintext:
> http://lists.opensuse.org/opensuse-updates/2015-04/msg00026.html
>
> from http://lwn.net/Vulnerabilities/640614/

Confirmed this fix is also in 1.8.0. According to the OpenSuSE bug, this is CVE-2015-3448. They also have a reproducer attached to their bug:
https://bugzilla.suse.com/show_bug.cgi?id=917802

I don't see any PoCs for CVE-2015-1820.
Summary: ruby-rest-client new security issue CVE-2015-1820 => ruby-rest-client new security issues CVE-2015-1820 and CVE-2015-3448
Updated package uploaded for Mageia 4.

Please see the previous comments for more information.

Advisory:
========================

Updated ruby-rest-client packages fix security vulnerabilities:

When Ruby rest-client processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration. This can be used in a session fixation attack or in stealing cookies (CVE-2015-1820).

REST Client for Ruby contains a flaw that is due to the application logging password information in plaintext. This may allow a local attacker to gain access to password information (CVE-2015-3448).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1820
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3448
https://bugzilla.redhat.com/show_bug.cgi?id=1205291
http://lists.opensuse.org/opensuse-updates/2015-04/msg00026.html
========================

Updated packages in core/updates_testing:
========================
ruby-rest-client-1.8.0-1.mga4
ruby-rest-client-doc-1.8.0-1.mga4

from ruby-rest-client-1.8.0-1.mga4.src.rpm
CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Severity: normal => major
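Not part of the bug thread or of the rest-client code base: an added Ruby example of the cookie scoping the advisory above is about. It contrasts the behaviour described for CVE-2015-1820 (every Set-Cookie value from a redirecting response replayed to the redirect target) with forwarding that applies RFC 6265 domain, path, expiry and Secure checks against the target URL. All function names, the sample Set-Cookie headers and the hostnames are constructed for this illustration; nothing here is claimed to be how rest-client 1.8.0 or http-cookie implements the fix.

```ruby
require 'uri'
require 'time'

# RFC 6265 default-path for a cookie set without a Path attribute.
def default_path(uri_path)
  return '/' if uri_path.nil? || uri_path.empty? || !uri_path.start_with?('/')
  idx = uri_path.rindex('/')
  idx.zero? ? '/' : uri_path[0...idx]
end

# Parse one Set-Cookie header value received from +origin+ (a URI) into a hash.
# Missing Domain/Path attributes fall back to the origin host and default-path,
# as a browser's cookie jar would.
def parse_set_cookie(header, origin, now: Time.now)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  cookie = {
    name: name.strip, value: value.to_s.strip,
    domain: origin.host.downcase, host_only: true,
    path: default_path(origin.path), expires: nil, secure: false
  }
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    case key.strip.downcase
    when 'domain'
      cookie[:domain] = val.to_s.strip.downcase.sub(/\A\./, '')
      cookie[:host_only] = false
    when 'path'    then cookie[:path] = val.to_s.strip
    when 'expires' then cookie[:expires] ||= (Time.parse(val) rescue nil)
    when 'max-age' then cookie[:expires] = now + val.to_i # Max-Age takes precedence
    when 'secure'  then cookie[:secure] = true
    end
  end
  cookie
end

# RFC 6265 domain-match: host-only cookies need an exact host match; cookies
# with a Domain attribute also match subdomains of that domain.
def domain_match?(cookie, host)
  host = host.to_s.downcase
  return host == cookie[:domain] if cookie[:host_only]
  host == cookie[:domain] || host.end_with?(".#{cookie[:domain]}")
end

# RFC 6265 path-match.
def path_match?(cookie_path, request_path)
  request_path = '/' if request_path.nil? || request_path.empty?
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

# Should this cookie be sent with a request to +target+ at time +now+?
def cookie_applies?(cookie, target, now: Time.now)
  return false if cookie[:expires] && cookie[:expires] <= now
  return false if cookie[:secure] && target.scheme != 'https'
  domain_match?(cookie, target.host) && path_match?(cookie[:path], target.path)
end

# The behaviour the advisory describes (CVE-2015-1820): every cookie from the
# redirecting response is replayed to the redirect target, whatever host or
# path it points at and whether or not it has expired. The target is ignored;
# that is the bug.
def forward_all(set_cookie_headers, origin_url, _target_url)
  origin = URI(origin_url)
  set_cookie_headers.map { |h| c = parse_set_cookie(h, origin); "#{c[:name]}=#{c[:value]}" }
end

# Scoped forwarding: only cookies that domain-, path- and expiry-match the target.
def forward_scoped(set_cookie_headers, origin_url, target_url, now: Time.now)
  origin, target = URI(origin_url), URI(target_url)
  set_cookie_headers
    .map { |h| parse_set_cookie(h, origin, now: now) }
    .select { |c| cookie_applies?(c, target, now: now) }
    .map { |c| "#{c[:name]}=#{c[:value]}" }
end

# Constructed sample: a 302 from login.example.com carrying three cookies.
ORIGIN_URL = 'http://login.example.com/auth/start'
SAMPLE_SET_COOKIES = [
  'session=abc123; Path=/; HttpOnly',               # host-only cookie
  'pref=dark; Domain=example.com; Path=/',          # shared across *.example.com
  'old=gone; Expires=Thu, 01 Jan 2015 00:00:00 GMT' # already expired
].freeze
FIXED_NOW = Time.utc(2015, 6, 1)

if __FILE__ == $PROGRAM_NAME
  third_party = 'http://third-party.example.net/landing'
  puts "unscoped -> #{forward_all(SAMPLE_SET_COOKIES, ORIGIN_URL, third_party).inspect}"
  puts "scoped   -> #{forward_scoped(SAMPLE_SET_COOKIES, ORIGIN_URL, third_party, now: FIXED_NOW).inspect}"
end
```

Run stand-alone, the unscoped variant hands all three cookies (the session cookie included) to the third-party host, which is the cookie leak the advisory describes; the scoped variant sends it nothing, and would send only the Domain=example.com cookie to another example.com host.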
Testing mga4 32

# ecupdt
Enabling Core Updates Testing
# urpmi ruby-rest-client ruby-rest-client-doc
Package ruby-rest-client-1.6.7-7.mga4.noarch is already installed
A requested package cannot be installed:
ruby-rest-client-1.8.0-1.mga4.noarch (due to unsatisfied rubygem(netrc)[< 1])
Continue installation anyway? (Y/n) n
Whiteboard: (none) => feedback
I guess this update will need to be reverted and it will need to be patched.

CVE-2015-1820:
https://github.com/rest-client/rest-client/commit/6c6b8f2fc0f1796ba4265ce90adc87eecbb83aec

CVE-2015-3448:
https://github.com/rest-client/rest-client/commit/60ae4a5373e574bdeacd7b526c72f4e7d0ca858f
I am working on this.
Additional src.rpm: ruby-netrc and ruby-http-cookie
Tested here and it installs fine.
Why are we importing extra packages to upgrade rather than patching? Is patching infeasible for this Nicolas?
I'm not sure where the netrc dependency comes from, but solving the security issue requires importing http-cookie anyway, so we might as well go with it.

Advisory:
========================

Updated ruby-rest-client packages fix security vulnerabilities:

When Ruby rest-client processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration. This can be used in a session fixation attack or in stealing cookies (CVE-2015-1820).

REST Client for Ruby contains a flaw that is due to the application logging password information in plaintext. This may allow a local attacker to gain access to password information (CVE-2015-3448).

The ruby-rest-client package has been updated to version 1.8.0, fixing these issues and several other bugs. Refer to the upstream changelog for more details.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1820
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3448
https://github.com/rest-client/rest-client/blob/master/history.md
https://bugzilla.redhat.com/show_bug.cgi?id=1205291
http://lists.opensuse.org/opensuse-updates/2015-04/msg00026.html
========================

Updated packages in core/updates_testing:
========================
ruby-rest-client-1.8.0-1.mga4
ruby-rest-client-doc-1.8.0-1.mga4
ruby-netrc-0.10.3-1.mga4
ruby-netrc-doc-0.10.3-1.mga4
ruby-http-cookie-1.0.2-1.mga4
ruby-http-cookie-doc-1.0.2-1.mga4

from SRPMS:
ruby-rest-client-1.8.0-1.mga4.src.rpm
ruby-netrc-0.10.3-1.mga4.src.rpm
ruby-http-cookie-1.0.2-1.mga4.src.rpm
Whiteboard: feedback => (none)
Still can't install these.

error: Failed dependencies:
        rubygem(domain_name) < 1 is needed by ruby-http-cookie-1.0.2-1.mga4.noarch
        rubygem(domain_name) >= 0.5 is needed by ruby-http-cookie-1.0.2-1.mga4.noarch

Besides the PoC for the password issue, a simple test for this is:
restclient get http://www.mageia.org/
PoC: https://bugzilla.suse.com/show_bug.cgi?id=917802#c7
MGA4-32 on Acer D620 Xfce

No installation issues

At CLI:
> restclient get http://www.mageia.org/
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- restclient (LoadError)
        from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
        from /usr/share/ruby/gems/gems/rest-client-1.8.0/bin/restclient:6:in `<top (required)>'
        from /usr/bin/restclient:23:in `load'
        from /usr/bin/restclient:23:in `<main>'

Something missing?
CC: (none) => herman.viaene
OK, I got it to install too. I also get that LoadError. Nicolas is looking at it.
I am looking at this as well - same LoadError. Shall try PoC re comment 14 - after test.
CC: (none) => tarazed25
The reproducer fails in the same way. Shall try some temporary hacks to the code to see if there is a typo somewhere.
I am looking into this problem. Seems some files are missing somewhere.
It looked like there might be a missing gem. rubygem-rest-client does not exist so how about:

gem install rest-client

That worked; the PoC reproducer returned text containing the REDACTED string and a whole lot more. David's simple test returned what might be cgi or xml. Shall post files.
We don't use "rubygem" in our package names, we just use "ruby" so your gem install command just installed from upstream the same thing we are testing in this package.
Created attachment 6538
Simple test of restclient get

restclient get http:/www.mageia.org/ > mageia.txt

The update should include a requirement for the rest-client gem. In mga5 rubygems is included by default if ruby is installed from the iso. It probably is in mga4 as well.
This update *is* the rest-client gem, that's what the ruby-rest-client package is.
Created attachment 6539
"after" output from PoC test

ruby test-osvdb-117461.rb > reproducer.txt

This raises a 404 error which prompts a stack trace on STDERR.
(In reply to Len Lawrence from comment #24)
> Created attachment 6539
> "after" output from PoC test
>
> ruby test-osvdb-117461.rb > reproducer.txt
>
> This raises a 404 error which prompts a stack trace on STDERR.

The 404 is expected. The REDACTED that you see in the output is the desired output if the security issue is fixed, as opposed to "password" which you saw before the update.
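Not part of the bug thread or of rest-client itself: an added Ruby example of the kind of log masking whose effect the comment above describes, where a URL with userinfo is logged as "user:REDACTED@example.com" instead of the plaintext password (CVE-2015-3448). The function names, the regular expression and the sample log line are constructed for this illustration and are not claimed to match the upstream fix; the URI-based path uses Ruby's standard library, and the regex-based scrubber covers text that is not itself a parseable URL, such as an existing log line.

```ruby
require 'uri'

# Matches "scheme://user:password@" so the password can be masked even in a
# string that is not a parseable URL on its own (for example a whole log line).
# A bare "host:port" never matches because the "@" is required.
USERINFO_PASSWORD = %r{([a-z][a-z0-9+.-]*://[^\s/:@]+:)[^\s/@]+@}i

# Mask every userinfo password in a free-form line of log text.
def scrub_userinfo_passwords(line)
  line.gsub(USERINFO_PASSWORD, '\1REDACTED@')
end

# Return a copy of +url+ that is safe to log: the password in the userinfo
# component, if any, is replaced by "REDACTED" while the user name is kept so
# the log line stays attributable. Falls back to the regex scrubber for input
# that URI cannot parse rather than logging it untouched.
def redact_url_password(url)
  uri = URI.parse(url)
  return url if uri.password.nil?
  uri.password = 'REDACTED'
  uri.to_s
rescue URI::InvalidURIError
  scrub_userinfo_passwords(url)
end

# Constructed sample log line in the shape of a client request log.
SAMPLE_LOG_LINE = 'GET "http://user:password@example.com/api" => 200 OK'

if __FILE__ == $PROGRAM_NAME
  puts redact_url_password('http://user:password@example.com')
  puts scrub_userinfo_passwords(SAMPLE_LOG_LINE)
end
```

The point of redacting at the moment the log line is built, rather than relying on log file permissions, is that the credential never reaches disk, log shippers or anyone with read access to the log, which is the local-attacker exposure the advisory names.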
@ comment 23; my apologies David. So this is a weird result. I installed it twice and the second time it worked. ?? Yes, I know "rubygem" is not used - I was simply referring to the text of the PoC and wondered if rest-client was missing. I did not think to look inside the rpm. I also had problems installing the package. I tried before enabling core updates testing and got nothing so had to go to the distrib-coffee site to download the rpms from core/updates_testing. I was more interested in why you and Nicolas had those load errors. Just trying to help. That question is not really resolved though.
Please test next ruby-rest-client rpm.
Len, thanks for testing, we do need that. The only thing you did wrong was using gem install to install the rest-client gem from upstream, as we're supposed to be testing the packaged version. Your test that showed that the package is broken was correct. It's being worked on. You'll need to remove the one you installed with gem install to test the package again.
Correcting the package list and reposting the advisory.

Advisory:
========================

Updated ruby-rest-client packages fix security vulnerabilities:

When Ruby rest-client processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration. This can be used in a session fixation attack or in stealing cookies (CVE-2015-1820).

REST Client for Ruby contains a flaw that is due to the application logging password information in plaintext. This may allow a local attacker to gain access to password information (CVE-2015-3448).

The ruby-rest-client package has been updated to version 1.8.0, fixing these issues and several other bugs. Refer to the upstream changelog for more details.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1820
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3448
https://github.com/rest-client/rest-client/blob/master/history.md
https://bugzilla.redhat.com/show_bug.cgi?id=1205291
http://lists.opensuse.org/opensuse-updates/2015-04/msg00026.html
========================

Updated packages in core/updates_testing:
========================
ruby-rest-client-1.8.0-2.mga4
ruby-rest-client-doc-1.8.0-2.mga4
ruby-netrc-0.10.3-1.mga4
ruby-netrc-doc-0.10.3-1.mga4
ruby-http-cookie-1.0.2-1.mga4
ruby-http-cookie-doc-1.0.2-1.mga4

from SRPMS:
ruby-rest-client-1.8.0-2.mga4.src.rpm
ruby-netrc-0.10.3-1.mga4.src.rpm
ruby-http-cookie-1.0.2-1.mga4.src.rpm
Working fine now on Mageia 4 i586, confirmed the password issue is fixed.
Whiteboard: feedback => has_procedure MGA4-32-OK
Started again and ran the PoC test.

Before: "user:password@example.com"
Afterwards: "user:REDACTED@example.com"

OK for Mageia 4 x86_64.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Well done all. Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0227.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/644888/